Research
Next-Generation Malware: Nugache, Asprox...
Submitted by bjou on Fri, 2008-08-01 00:50. Malware | Research | Sample Requests
Hey guys,
working on my diploma thesis I am looking for next generation malware. I already examined Storm, now I was trying to go for Nugache. As the botmaster was captured some weeks ago, I was wondering if this botnet still works? I have some samples from early 2007; they do not seem to work (and still use TCP/8). Anyone with newer samples to try?
Moreover I am looking out for Asprox samples or any other samples of botnets that use FastFlux technologies.
If anyone could provide some binaries, that would be superb...
Any help is greatly appreciated!
Owning a GINA Hook
Submitted by bmenrigh on Thu, 2008-07-31 18:55. Research
I recently took a break from poking at Storm to do real work on some custom malware recovered in a compromise here.
This analysis is of an MS GINA hook that encrypts its log file with RC4. I'm light on mechanical details of the reversing and instead have focused on screenshots, an overview of the investigation, and some Perl code to do the decrypting.
You can get the analysis here:
Owning a GINA Hook
You can get the malware here:
25addfa74f1d414d8ed4803251c839cc
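As an added example (not bmenrigh's Perl code, which is not reproduced here), a minimal Python RC4 decryptor for a log file of this kind, plus a printable-text sanity check that is useful when trying candidate keys pulled from the binary. The key "gina2008" and the two log lines are constructed for the example; the real hook's key and log format are not given in the post.

```python
# Added example, not code from the GINA hook analysis.  RC4 is symmetric, so
# one routine both encrypts (what the hook does) and decrypts (what we do).
from typing import Iterator, List, Tuple


def rc4_keystream(key: bytes) -> Iterator[int]:
    """Yield the RC4 keystream for `key`: KSA to permute S, then PRGA."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    i = j = 0
    while True:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        yield S[(S[i] + S[j]) & 0xFF]


def rc4(key: bytes, data: bytes) -> bytes:
    """XOR `data` with the RC4 keystream; same call encrypts and decrypts."""
    ks = rc4_keystream(key)
    return bytes(b ^ next(ks) for b in data)


# Hypothetical key, as it might be recovered from the hook's .data section.
HYPOTHETICAL_KEY = b"gina2008"

# Constructed plaintext in the shape a credential-logging GINA hook might write:
# "<date> <time> <DOMAIN\\user> <password>\r\n".  Not a real capture.
SAMPLE_LOG = (
    b"2008-07-30 09:12:44 WORKSTATION\\jdoe 5ecretP@ss\r\n"
    b"2008-07-30 17:03:10 WORKSTATION\\admin Hunter2!\r\n"
)


def looks_like_log(plaintext: bytes) -> bool:
    """Cheap check for a candidate key: a correct key gives printable ASCII
    lines, a wrong key gives high-entropy bytes that fail this test."""
    return all(0x20 <= b < 0x7F or b in b"\r\n" for b in plaintext)


def decrypt_log(key: bytes, ciphertext: bytes) -> List[Tuple[str, str, str]]:
    """Decrypt an RC4 log blob and split each line into
    (timestamp, account, password).  Passwords may contain spaces, so the
    split is limited to three separators."""
    entries = []
    for line in rc4(key, ciphertext).split(b"\r\n"):
        if not line:
            continue
        date, time, account, password = line.decode("latin-1").split(" ", 3)
        entries.append((f"{date} {time}", account, password))
    return entries


if __name__ == "__main__":
    blob = rc4(HYPOTHETICAL_KEY, SAMPLE_LOG)   # what the hook would leave on disk
    print("ciphertext looks like a log:", looks_like_log(blob))
    for ts, acct, pw in decrypt_log(HYPOTHETICAL_KEY, blob):
        print(ts, acct, pw)
```

The keystream generator is checked against the public RC4 test vectors (key "Key" / plaintext "Plaintext" gives bbf316e8d940af0ad3), so a mismatch when decrypting a real sample points at the wrong key or at a modified RC4 in the binary, not at the decryptor.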
Video Codec Malware Continues
Submitted by er234567 on Thu, 2008-07-31 12:41. Research
Over the last few days we have been getting a number of new emails with links to a specific fake video codec (which is actually a Trojan), "get_flash_update.exe". The attack appears to have infected a number of real and legitimate websites to act as malware distribution points.
Research: Crimeware-as-a-Service
Submitted by er234567 on Thu, 2008-07-31 11:25. Research
Hi Everyone,
For those who are not members of the ISSA, I am posting a link to some specific research articles we published in this journal. One in particular highlights some data concerning Crimeware-as-a-Service, better known as server-side polymorphism.
Enjoy!
Paper on Trojan-DownloaderWin32Small
Submitted by evilcry on Wed, 2008-07-30 22:48. Research
Hello,
Here you can find a Reverse Engineering Analysis of Trojan-DownloaderWin32Small, a widespread Trojan that is usually spread through websites.
Have a nice read..
Regards,
Giuseppe 'Evilcry' Bonfa'
Anatomy of a Data Breach
Submitted by er234567 on Wed, 2008-07-30 13:25. Research
Hi Everyone,
I am posting my latest research on data security breaches and the effect that malcode has on corporations today from a data leakage perspective.
Point-of-Sales Vulnerabilities
Submitted by er234567 on Wed, 2008-07-30 08:32. Research
Recently I have been doing some research into the vulnerabilities that exist in point-of-sale (POS) systems and how they are affected by malware.
The research can be found here in my full blog posting:
Research Study: Intrusions on Government Networks
Submitted by er234567 on Mon, 2008-07-28 14:18. Analysis and Samples | Research
Hi All,
I am posting results from a research study conducted over a 6 month period with the aim of better understanding targeted attacks.
This report contains data points corresponding to the prevalence of certain crimeware families within a particular large police agency network we audited.
Ryan Sherstobitoff
Chief Corporate Evangelist
Panda Security US
The report can be found here
More malicious search results
Submitted by lithium on Fri, 2008-07-25 18:29. Research
One of my co-workers just learned that there is a malicious HTML page with his name on it! When I downloaded the page we realized that it was not a targeted attack, but a variant of the malicious pages I reported under my MSN malicious results post.
This server actually had 3179 other HTML pages, each one with a name starting with Ryan-. The bad guys probably used a robot to collect information from web pages. More information here...
Inside The Malicious World of Blog Comment Spam
Submitted by valsmith on Wed, 2008-07-23 15:15. Research
Colin and I have been looking at some interesting blog comment spam for a while. This (rough) paper contains some of our results:
Inside the Malicious World of Blog Comment Spam
Abstract: This paper describes the code, behavior and infrastructure of a blog comment spam attack. The particular blog spam attack explained here uses HTTP/JavaScript obfuscation and redirection to pass the victim's browser through several websites, ultimately infecting the victim's host using a handful of exploits. This paper will also cover some of the techniques and tools used in analyzing the attack.
We had a previous post about some of this before as well.
Enjoy!
V.
